Overview

overview

10

Static

static

3295138274...25.exe

windows7-x64

10

3295138274...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    28/07/2022, 06:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3295138274c034c16522257d6c18f225.exe

  • Size

    879KB

  • MD5

    3295138274c034c16522257d6c18f225

  • SHA1

    6f93c0800221d86ec8de5636195383f91cb9a336

  • SHA256

    c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b

  • SHA512

    7fb76b1bd0ec1d7e631c44d9cb82f06c6f2145b9a7797c5c8b18f3752bf18daec6ba57802bd178f630bcb9f9f20fc4486568a92e474d6499366e57f3e5bc81a3

Score
10/10
quasarvenomratbomboclatevasionratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Bomboclat

C2

185.236.78.58:4782

Mutex

VNM_MUTEX_mtYiaCcGzveD5dsvgE

Attributes
  • encryption_key

    1WEWg6889GqBWLC1XKxQ

  • install_name

    WndowsSecurityUpdate.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Wndows Dfender Update Startup

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 8 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 8 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3295138274c034c16522257d6c18f225.exe
    "C:\Users\Admin\AppData\Local\Temp\3295138274c034c16522257d6c18f225.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Local\Temp\3295138274c034c16522257d6c18f225.exe
      "{path}"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Loads dropped DLL
      • Windows security modification
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Wndows Dfender Update Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\3295138274c034c16522257d6c18f225.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:968
      • C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:820
        • C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe
          "{path}"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:576
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "Wndows Dfender Update Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:1592
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:800
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1844
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
          4⤵
            PID:1736
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\Gk02s2NCgWJT.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1496
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
              PID:632
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              4⤵
              • Runs ping.exe
              PID:1368
            • C:\Users\Admin\AppData\Local\Temp\3295138274c034c16522257d6c18f225.exe
              "C:\Users\Admin\AppData\Local\Temp\3295138274c034c16522257d6c18f225.exe"
              4⤵
              • Suspicious use of SetThreadContext
              PID:1508
              • C:\Users\Admin\AppData\Local\Temp\3295138274c034c16522257d6c18f225.exe
                "{path}"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1756

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Gk02s2NCgWJT.bat
        Filesize

        229B

        MD5

        0ebf34aadc63733a46a7f0de4be4fb4d

        SHA1

        4a25060b036e81f7991bc4bdabd204af07118634

        SHA256

        5cd22e2dea6ca8a6c5cfc62485a32fb04b023bc81509f9fbab82709133193393

        SHA512

        6ef0459e4dfb00d4b5917fac512b46b3f3bc642751fd6e93cff9fc081dbb8d862285d1c7f608ef1557043b6c8842e75ae90cdaef17a1af988afdf0c111f3bfb9

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe
        Filesize

        879KB

        MD5

        3295138274c034c16522257d6c18f225

        SHA1

        6f93c0800221d86ec8de5636195383f91cb9a336

        SHA256

        c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b

        SHA512

        7fb76b1bd0ec1d7e631c44d9cb82f06c6f2145b9a7797c5c8b18f3752bf18daec6ba57802bd178f630bcb9f9f20fc4486568a92e474d6499366e57f3e5bc81a3

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe
        Filesize

        879KB

        MD5

        3295138274c034c16522257d6c18f225

        SHA1

        6f93c0800221d86ec8de5636195383f91cb9a336

        SHA256

        c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b

        SHA512

        7fb76b1bd0ec1d7e631c44d9cb82f06c6f2145b9a7797c5c8b18f3752bf18daec6ba57802bd178f630bcb9f9f20fc4486568a92e474d6499366e57f3e5bc81a3

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe
        Filesize

        879KB

        MD5

        3295138274c034c16522257d6c18f225

        SHA1

        6f93c0800221d86ec8de5636195383f91cb9a336

        SHA256

        c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b

        SHA512

        7fb76b1bd0ec1d7e631c44d9cb82f06c6f2145b9a7797c5c8b18f3752bf18daec6ba57802bd178f630bcb9f9f20fc4486568a92e474d6499366e57f3e5bc81a3

        Download Submit

      • \Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe
        Filesize

        879KB

        MD5

        3295138274c034c16522257d6c18f225

        SHA1

        6f93c0800221d86ec8de5636195383f91cb9a336

        SHA256

        c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b

        SHA512

        7fb76b1bd0ec1d7e631c44d9cb82f06c6f2145b9a7797c5c8b18f3752bf18daec6ba57802bd178f630bcb9f9f20fc4486568a92e474d6499366e57f3e5bc81a3

        Download Submit

      • \Users\Admin\AppData\Roaming\SubDir\WndowsSecurityUpdate.exe
        Filesize

        879KB

        MD5

        3295138274c034c16522257d6c18f225

        SHA1

        6f93c0800221d86ec8de5636195383f91cb9a336

        SHA256

        c063f14a72b49e90fe7862e4402540c2227abf2f063c9a8f63af90d4a6ab5e5b

        SHA512

        7fb76b1bd0ec1d7e631c44d9cb82f06c6f2145b9a7797c5c8b18f3752bf18daec6ba57802bd178f630bcb9f9f20fc4486568a92e474d6499366e57f3e5bc81a3

        Download Submit

      • memory/800-82-0x000000006EA90000-0x000000006F03B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/800-81-0x000000006EA90000-0x000000006F03B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/820-78-0x0000000001010000-0x00000000010F2000-memory.dmp

        Filesize

        904KB

        Download

      • memory/1508-106-0x00000000010D0000-0x00000000011B2000-memory.dmp

        Filesize

        904KB

        Download

      • memory/1612-70-0x0000000000400000-0x00000000004B6000-memory.dmp

        Filesize

        728KB

        Download

      • memory/1612-65-0x0000000000400000-0x00000000004B6000-memory.dmp

        Filesize

        728KB

        Download

      • memory/1612-59-0x0000000000400000-0x00000000004B6000-memory.dmp

        Filesize

        728KB

        Download

      • memory/1612-64-0x0000000000400000-0x00000000004B6000-memory.dmp

        Filesize

        728KB

        Download

      • memory/1612-68-0x0000000000400000-0x00000000004B6000-memory.dmp

        Filesize

        728KB

        Download

      • memory/1612-62-0x0000000000400000-0x00000000004B6000-memory.dmp

        Filesize

        728KB

        Download

      • memory/1612-60-0x0000000000400000-0x00000000004B6000-memory.dmp

        Filesize

        728KB

        Download

      • memory/2020-54-0x0000000000A00000-0x0000000000AE2000-memory.dmp

        Filesize

        904KB

        Download

      • memory/2020-55-0x0000000075731000-0x0000000075733000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2020-56-0x0000000000290000-0x000000000029A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2020-57-0x00000000054F0000-0x00000000055AC000-memory.dmp

        Filesize

        752KB

        Download

      • memory/2020-58-0x0000000000920000-0x00000000009D6000-memory.dmp

        Filesize

        728KB

        Download